
Wifi MAC address-based authentication

Sorry for asking such a noob question, but I figured I might get more help posting it here than in the Newbie section.

Network cards come with MAC addresses, and some even allow you to change them. I was talking to a guy who told me that one of the best ways of securing a wireless network is to allow connections based on the MAC address of the wifi cards.
But in that case, isn't it possible to eavesdrop on a connection, grab the MAC address and then change yours to that? Or do wifi cards not allow you to change your MAC address?

Apart from that and using WEP, any other suggestions on how to make a wireless network a bit more bulletproof?

WEP or WPA are your best bets combined with MAC address based connections. Beyond that, use sound local and network security on your systems: no anon access, strong file level permissions, etc. On your gateway/firewall box, set user limits on internet access. When doing wireless, understand that your footprint into the world is *very* big; your best bet for security is security in depth.

Spoofing MAC addresses is easy. On a scale of 1 to 5, with 5 being the most knowledge needed to complete an intrusion attempt, I would rate it at 2. The factor in your favor is that the person has to be within range of the antenna to do anything. If you're a high value target, I would think twice. I have a couple of decent papers I can dig up, but just type "spoofing mac address" in Google. Securing a wireless connection by MAC lockout is overrated. WEP has been all but made obsolete by cracker software, and the method of authentication/communication is well documented. The real danger in WEP is (my opinion) sniffing. An open wireless router easily becomes a funnel for sensitive information and, depending on the motive of those listening, they may never make a move to give away their intention and just sit on it, listening to email, authentication, etc. I am discussing this from a point of view that sensitive information is not worth the risk of convenience. Wireless access should be segmented, like already pointed out. If it's your house, no big woop, you can watch the connections, but in a large environment that becomes difficult when compared with the benefit.

West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.

re: wi-fi security

What kind of devices comprise your WLAN?

I would suggest looking into (P)EAP if you're Cisco based. The various EAP protocols (EAP, LEAP, and PEAP) can be used to secure wired switch ports as well.

If you're not in a Cisco architecture, some vendors support EAP but I don't think they're in the majority, especially if you're talking home market vs. enterprise. I believe almost all home market devices support MAC filtering, which means you have to hard code all possible 'good' MACs into it. If you're planning on servicing a large number of clients, the upkeep could become a headache.

And MAC spoofing is trivial as RoadClosed pointed out.

Always remember that no one device/technology is going to solve all of your security woes. Layer your defenses and know where residual risk is located.

Most of the machines will be running a Windows of some sort, but the fileserver will definitely be running Linux.
I'm still hesitating for the proxy. Either I make the fileserver also act as a proxy, or run the proxy with Windows, which I am not too keen on but I do not have another free computer.
Alternatively, I suppose I could get a Wireless router, and that would take away the need of a proxy.

You will be ok, WPA is cheaper than it was a few months ago. I would get it and just look at the logs. Your risk is low, and look for WPA wireless routers and cards or USB devices for each PC that support it. Lock it down with MAC based access controls and encrypt it. It beats running Cat5 through a house already built. Since you are using winders and want to go a step further and utilize the OS. Check out this lady... nice article for home users. Hope you have newer versions of winders.

One thing I did not see mentioned is that in order to really make use of MAC spoofing you have to be on a LAN for the ARP to route, so put a firewall between your AP and your internal LAN, then ARP poisoning will not be possible. Also, just having the MAC of an authorized client will not give you the WEP key, so you can't just hop on. Also, sniffing is not as big of a concern where some kind of TLS based system is in place with rotating WEP keys (802.1X stuff).

-Maestr0

"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

Originally posted here by Maestr0: One thing I did not see mentioned is that in order to really make use of MAC spoofing you have to be on a LAN for the ARP to route, so put a firewall between your AP and your internal LAN, then ARP poisoning will not be possible. Also, just having the MAC of an authorized client will not give you the WEP key, so you can't just hop on. Also, sniffing is not as big of a concern where some kind of TLS based system is in place with rotating WEP keys (802.1X stuff).

-Maestr0

This is probably one of the better suggestions. Even if you are using XEAP or WAP, don't rely on just that: secure your boxes. If you are going to have a file server, set it up as a domain server and set strong NTFS permissions on all your systems. Remember nothing is ever 100% secure; the best bet is to make your system not worth the trouble it takes to break... security in depth.
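
An added example, not part of any post in this thread: since several replies note that a MAC allow-list alone does not stop a cloned address, this sketch shows one defender-side check, flagging a MAC whose 802.11 sequence numbers jump erratically because two radios are sharing it. The frame tuples, function names and thresholds are assumptions made for illustration; the input is constructed, standing in for fields extracted from a monitor-mode capture.

```python
from collections import defaultdict

SEQ_MOD = 4096  # the 802.11 sequence number field is 12 bits wide


def seq_gap(prev, cur):
    """Forward distance from prev to cur, allowing for wrap at 4096."""
    return (cur - prev) % SEQ_MOD


def find_shared_macs(frames, max_gap=64, min_anomalies=3):
    """frames: iterable of (timestamp, source_mac, sequence_number).

    One station increments its counter by one per frame, so consecutive
    frames from a MAC normally differ by a small forward gap (0 for a
    retransmission, a few for frames the sensor missed). Two stations
    using the same MAC interleave two independent counters, which shows
    up as repeated large jumps. Thresholds are assumed values to tune.
    Assumes one counter per station (QoS per-TID counters not modelled).
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for _ts, mac, seq in sorted(frames):
        mac = mac.lower()
        if mac in last_seq and seq_gap(last_seq[mac], seq) > max_gap:
            anomalies[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}


def sample_frames():
    """Constructed capture: one normal client, one MAC used by two radios."""
    frames = []
    # Normal client whose counter wraps from 4095 back to 0.
    for i, seq in enumerate([4093, 4094, 4095, 0, 1, 2]):
        frames.append((i * 0.010, "00:11:22:33:44:66", seq))
    # Allow-listed MAC seen from two transmitters at once: the genuine
    # station counts up from 100, the second radio counts up from 3000.
    for i in range(4):
        frames.append((i * 0.010 + 0.001, "00:11:22:33:44:55", 100 + i))
        frames.append((i * 0.010 + 0.006, "00:11:22:33:44:55", 3000 + i))
    return frames


if __name__ == "__main__":
    for mac, count in find_shared_macs(sample_frames()).items():
        print(f"{mac}: {count} sequence anomalies, possible shared MAC")
```

The check only fires while both stations are transmitting; a clone that waits for the genuine client to go offline has to be caught by other layers, such as the encryption and segmentation discussed in the thread.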